Use consistent idiom for X509_get_ext_d2i()
X509_get_ext_d2i() is special. A NULL return value can be either a
success or a failure scenario: an extension may legitimately be absent.
However, to find out whether it was absent or an error ocurred, you need
to pass in &crit, a pointer to an int. Its purpose is to indicate whether
the extension was marked critical or not.
If the return value was NULL, crit becomes an error indicator:
crit == -1 means the extension was not found. This can be an error or fine
depending on the extension. Handle this accordingly. In particular for
basic constraints, if they are missing or non-critical, this is an error.
If crit == -2 then multiple extensions with the same OID as the nid
requested are present. this means the cert is non-conformant to RFC 5280.
If crit >= 0, then something weird happened. Either memory allocation
failed or the extension could not be parsed. It is not easily possible to
tell which.
In short, if crit != -1, drop the cert on the floor like a hot potato.
Add warnings where possible. For x509_any_inherits() this needs some more
work, but that will be done in a different diff another day.
ok job
projects / openbsd / commit